Release Notes 1.5.24

DateTime: 1st June 2026, 13:46 AEDT

Overview

On the detection side, we introduced AI Agent detection and classification, with new profiling and models, support for the emerging AP2 agent-payments protocol, and refined timing-detection rules. Alongside that, JSON-RPC proxy step support lets you parse and reason about RPC payloads at the edge, enabling Darwinium to be deployed to risk assess requests going through MCP servers.

For builders, the headline is the new Journey Assistant / Recorder, rebuilt on top of the Chrome DevTools Protocol. It captures real user flows and turns them into journey definitions, speeding up journey discovery and mapping.

Dashboards are now unified across the Dashboards, Investigations and Incident views, and the unified widget has had a full round of polish. The AI chat assistant can now read TopX graph data, so you can ask questions directly against what a board is showing.

In the engine, we have greatly improved ability to provide Event Updates; they can now be performed against an identifier immediately after, no need to add delay.

For operations and admin, mTLS certificates now use a granular permission system, and the Certificates Admin and Users screens have been rebuilt for clarity. A new Python SDK for Labels opens up programmatic access to label data, and the Darwinium Portal now shows audit logs for label and incident actions.

Plus dozens of fixes across dashboards, investigations, journeys, and the identifier view.

Profiling Detections

✨ Agentic AI Detection & Classification

Agentic AI is now starting to make purchases and open accounts on behalf of users, becoming a new surface for fraud controls. We've released a model for distinguishing human-driven sessions from agent-driven ones, including profiling detections to generate signals as to why.

• New agent classification profiling and model. A new model distinguishes human-driven sessions from agent-driven ones, with profiling work to feed it the right signals.
• Refined timing detection rules. The rules that flag suspicious timing patterns have been tightened. We now catch agent-typical behaviour (uniform delays, super-human response times) more reliably, without firing on real users.
• Timing analysis primitives. Underlying timing analysis has been improved, returning more granular signals for use in your own rules.

Agentic AI Attributes

• profiling.agentic_ai.agent_probability
• profiling.agentic_ai.agent_likely
• profiling.agentic_ai.agent_name
• profiling.agentic_ai.signals : will begin populating in follow up minor release

🛜 Network & Connection Profiling

• Connection-type enrichment. IP intelligence now resolves connection type attributes, more reliably picking up hosting, VPN and proxy egress.

  Attributes:

  • profiling.tcp_connection[TcpConnectionContext].ipinfo.connection_type
  • profiling.tcp_connection[TcpConnectionContext].ipinfo.connection_type_attributes

• VPN detection model update. Improvements to the VPN model profiling.vpn_probability, classifying a wider range of VPN providers (e.g. OpenVPN, ProtonVPN, WireGuard) with higher confidence.

➡️ Journeys & Deployments

New Journey Assistant & Recorder

A new journey assistant / recorder captures real user interactions and turns them into journey definitions. The recorder has been rebuilt on the Chrome DevTools Protocol (CDP) rather than Playwright. CDP is the same protocol Chrome itself uses, so the recorder behaves more like a real browser session, with tighter access to the things journeys care about (network requests, page state, navigation events).

The AI backend of Journey Recorder has been rebuilt to pre-test all recommended definitions against the capture, preventing hallucinations.

Visit Record and Update Journeys through the Journey Overview page, spin up a recording, click through a user flow on your site, and you get a starting journey definition. The sidebar shows already-captured step types at the top of the list, where you can review, change filter and re-assign step types. At the bottom are suggestions of useful step types that have not yet been captured.

JSON-RPC Proxy Step (MCP Support)

JSON-RPC is now a first-class payload type for proxy steps. The edge can parse JSON-RPC requests and responses, extract attributes from them, and feed those attributes into your rules just like any other proxied step:

• Custom predicate This lets you define predicates against JSON-RPC fields, supporting JSONpath predicate syntax.
• Event-type processing parity. JSON-RPC steps now respect event-type processing the same way other proxy step types do.

Journey Editor

• Copy/paste steps across files. You can now move steps between journey files by copy and paste, which is faster than re-creating them.

Rules Editor v2

• Step visibility. The rules editor now shows which steps a rules file is attached to, so you can see where a change will take effect.
• Grid state retained. Column layout and selection in the rules editor are now preserved as you work, with snappier saving.

🗒️ Data & Real Time Engine

Update Event Improvements

The Update API event handler has been improved and now supports partial updates and edge cases around event order. Adding a delay before calling Update API on an identifier is no longer required.

Geolocation

Geolocation enrichment now resolves to state code and ZIP, not just country and city, with additional country-specific handling for finer-grained results. This makes more granular geo rules possible (regional risk scoring, jurisdictional routing) without needing a separate enrichment step.

hasAny Function

A new hasAny() function lets you write concise array-membership checks in rules. Instead of chaining multiple OR conditions, you pass a value and a list and get back a boolean. Cleaner rules, faster authoring.

WURFL Refresh

The WURFL device data file is now refreshed on a regular schedule. WURFL drives device-class identification (phone vs tablet vs bot signature), so keeping it current improves detection accuracy as new devices and bot frameworks appear.

Databricks Export

Databricks (via Google Cloud Storage) is now selectable from the data export UI, joining the other destinations added in 1.5.23. No need to wire it up through configuration.

📊 Dashboards & Investigations

Unified Dashboards

Dashboards are now unified. The same dashboards and widgets are available everywhere you work (Dashboards view, Investigations view, Incident view).

The unified widget has also been through a full round of polish. The most visible changes:

• Dashboard filtering. A new filtering layer applies at the dashboard level rather than per widget, so you can slice an entire board without editing every card.
• Clearer errors. Invalid widget settings now show a readable "invalid settings" message instead of raw system errors leaking through.
• Tooltip fixes. Tooltip clipping is resolved, and the missing tooltip explanations have been restored.
• TopX button improvements. The action buttons on TopX cards have been cleaned up, and the redundant "additional filter" in board mode has been removed.
• Coherent board menu. The board-level menu is now consistent across widget types.
• Deployment annotations on time-series. Time-series graphs can now annotate the points where deployments happened, so you can correlate signal shifts with the build that caused them.
• Conditional server-side functions. Conditional expressions inside server-side functions now evaluate correctly in TopX dashboards.

Other quality-of-life improvements:

• Aggregated columns on the Signals dashboard, so you can summarise across rows.
• Query virtual columns as TopX inputss. You can now define virtual columns within the With The Same field of any TopX widget to allow aggregation over a custom expression.
• with_the_same is now optional across all TopX configurations allowing to see aggregates over the whole data set, without respect for grouping.
• TimeSeriesCount migrated to TopX velocity, consolidating two overlapping primitives into one.
• TopX boards in Investigations. TopX boards are now available directly within the Investigations Query view, not just on dashboards.
• Model boxplots dashboard. A new dashboard visualises model score distributions as boxplots, making drift and outliers easier to spot.
• Aggregate stats usability. Aggregate stats on dashboards are easier to set up and read.

Investigations Date Picker

The Investigations view date picker now includes more options, fitting the common "what's happened in the last few hours" investigation pattern between the existing 1-hour and 1-day options. We've also resolved several date-range and re-render bugs on dashboard widgets.

Sidebar Improvements

The event detail sidebar has gained several new capabilities:

• Rendering of Expressions with Signals. Logic that a signal is based on is displayed alongside the signal.
  
• AI Agent When an event is classified as agent-driven, the sidebar now shows the underlying AI agent signature so you can see what was matched.
• Device signature debugging. Device signature details are now rendered in an interpretable form directly in the sidebar, so you can see how a fingerprint was constructed without manually decoding it.
• Device signature comparison tooltip. When two device signatures are different but event-compare shows a 100% match, a tooltip explains why this is expected.
• Event timings sidebar. A new sidebar section breaks down the timing of each phase of an event, useful for diagnosing latency issues or unusual processing patterns.
• Per-entry map filtering & cleaner detail cards. Map entries can be filtered individually, attributes flagged as hidden are no longer shown, and URLs in detail cards are rendered as clickable links.
• Custom Attributes filter menu. Custom attributes in the Event Details sidebar now have their own filter menu.
• Identifier Signals are now visible in the sidebar inside an accordion menu. See whether an identifier contained special characters and search for similar identifiers, even without PII permissions.
• Signals Now are rendered with description first, if available, to make meaning clearer.

Identifier View

Improvements to the identifier view this release:

• Template support. You can now save and reuse template configurations on the identifier view, the same way you can on the main Investigations view.
• Faster and more stable thanks to reworked state management under the hood.

Events Grid

• Icons for countries, operating systems and risk ratings.
• Column Visualization available in header hamburger menu for virtual columns.
  

🏷️ Labels & Incident Management

Python SDK for Labels

A new Python SDK gives you programmatic access to labels. This makes it practical to integrate labels into batch workflows, data science notebooks, or scheduled jobs without going through the Portal.

Updated Labels API & UI

The Labels API has been updated with new endpoints and the Portal UI has been refreshed to match. Existing integrations continue to work. The new endpoints add capabilities rather than replacing the old ones.

CSV Export

• Export from the Labels tab. A new export option lets you download the contents of the labels view as CSV.
• PII user fix. CSV export now works correctly when the requesting user has PII access, resolving a case where the export silently produced an empty file.

Notes & Metadata in the Portal

Notes and metadata added through Labels or Incident Management are now visible in the Darwinium Portal's investigation views, so analysts have the full context attached to an event without switching tools.

Incident Management

• All-incidents-in-queue view. A new view shows every incident in a queue along with who it's assigned to, giving leads a single-pane look at workload distribution.
• Audit logs. Label add/delete and incident take/reassign/close actions are now written to the Portal's audit log, so you have a full record of who did what.

Email Risk

• Suspicious-email-domain list. A managed list of suspicious email domains is now maintained for you with risk scores and signals attached, so you can match against known-bad domains without maintaining your own list.
• Disposable-email refresh. The disposable-email detection list is now refreshed on a schedule, keeping it current as new disposable providers appear.

🔐 Admin, Auth & Security

Users & Roles

• Roles, last sign-in, Excel export. The Users screen in the Portal now shows each user's roles and last sign-in time, and supports Excel export for offline review.
• Assign roles inline. You can now assign roles directly when adding or editing a user, rather than going through a separate roles screen.

Certificates

• Certificates Admin redesign. The Certificates Admin page has been rebuilt for better usability.
• Granular mTLS permissions. mTLS certificates now use a granular permission system. Each certificate's allowed operations are controlled explicitly, replacing the previous all-or-nothing model. Certificates created before this release retain their existing capabilities. New certificates are created with explicit permissions from the start. As part of this change, unimplemented Events/Deploy options have been hidden and Python SDK scope has been clarified.

Secrets Management

The secrets management experience has been improved, making it easier to add, rotate, and reference secrets used by your deployment.

❗️ Changed Behaviour

Deployment will now fail if attempting to deploy to a Cloudfront distribution that does not actually manage the hosts configured for this target. This is a safety feature to prevent misconfiguration. Please fix the host and deployment will succeed.

System will no longer allow you to commit a configuration where a snippet from Darwinium Marketplace has been configured with a wrongly typed parameter. This is a safety feature to prevent errors after deployment

🛠️ Fixes

• Dashboards. Cascading delete fixed, card legend overlap resolved, unsaveable graph configs now save, signal selection no longer breaks, card config clears correctly after modal close, broken time-series timescales fixed, "straight-into-error" time-series cards recovered, copy-graph restored, graph icon layering corrected, PII rendering on dashboards fixed, filters now handle special characters, settings button restored for graph editing, legend alignment regression resolved, and column-width collapse fixed.
• Signals dashboard. Spaces in column names no longer cause unrecoverable errors, the label-check filter is now accepted in the UI, cross-category multi-select label-context filters return the expected results, and signals-over-time config now persists correctly.
• Investigations. Column-order persistence works when saving to templates, query state persists between nodes, raw-data is viewable for the last event on a page, zoom auto-refresh works, the grid returns to the first page on query update, sidebar text overlap fixed, AG grid column widths preserved across tabs, string-array values no longer break Visual Query Pill, event-sidebar refresh stabilised, and IP address decryption fixed.
• Journeys. a journey-file read failure on the content server has been resolved, journey view auto-refresh restored, and the template dropdown is fixed in Investigations Journey.
• Event types & identifiers. EventType MiscOther behaviour corrected, event-type / step-summary / feature-config mismatches resolved, identifier copy and query no longer return empty, event-type graphs load correctly with saved queries, identifier-view buttons and graph state stabilised, and identifier-graph select-all/none state corrected.
• Operations. Node type now displays correctly in the cluster UI, background job stability improved, role-sync bug resolved, and incident-admin view now shows correctly when IM is configured.
• Labels. Pagination works on small datasets, seed-label add error resolved, an export caching bug fixed, the labels page test-main regression is fixed, and typo fixes across the labels UI.
• Edge & deployments. CloudFront cookie-forward detection added, linode call_url SNI support, geolocation gaps in some browsers resolved, iframe biometrics fixed, and ipinfo location merger config corrected.